publish hashes of signing keys

[grrrrr]

On Android, you can use AppVerifier to confirm if an apk was signed by the owners or an untrusted key (as well as other methods). This can be combined with Obtanium to check at install time.

The hashes could be published in a number of places for additional trust. e.g

• blog post
• gpg signed download
• mastodon / twitter /...
• Github

[fibelatti]

Hey @grrrrr, thanks for bringing this to my attention. I'm gonna look into how I can support this further, but out of the official download sources the only one that would benefit from this is GitHub.

• Google Play uses its own singing key, so I wouldn't have access to the hash
• IzzyOnDroid would also benefit, but I'm working with Izzy to add support for Reproducible Builds, so in a way regardless of the signing you know that the binary is exactly as built from source

Nevertheless, if it doesn't get in the way I'll certainly look into making each build more trustworthy

[fibelatti]

Hi @grrrrr, I have updated the README to include the SHA-256, you can find it here.

Thanks for your suggestion, I'm closing this issue now but feel free to re-open it if something is not right.